Another Personal Blog

Hacking with CashOnAd

“Cash on ad” was a new and innovative technique in the advertising industry. After installing an app on your Android phone, you are paid for watching ads. The app plays an advertisement each time you receive a call, and the company behind it pays you a few cents for viewing the ad.

F1 soft had released such an app and I was curious to try it. I installed it and it worked well. But the sad fact is that I rarely receive calls, and hence the earnings were negligible.

Taking advantage of my rooted Galaxy Pop GT-S5570, I explored the internal database of this app. I was amazed to see that all the records were in plain text. A few records were in an XML file and a few were in an SQLite database, and all were readable.

After that, I started writing an Android app to exploit this app’s record keeping. I wrote an app which modifies the target app’s XML and database. I named it CashOnClick (https://github.com/scvishnu7/CashOnClick). It basically has a button, clicking which is equivalent to receiving a call from the perspective of CashOnAd. After that I registered a fake account on CashOnAd and then used my app to manually increment my balance.

They have a minimum transaction threshold of $1, and it took me 100 clicks, i.e. 2/3 days. Then I did the transaction. After their manual verification I got paid $1 to my ESewa account.

After that, I mailed them about this vulnerability. Later on they patched this vulnerability by encrypting their database and XML files. Still, while decompiling the app I saw their encryption passwords along with the library used for encryption.

For now they have lost my interest, as they have a rate limit on ads per day.
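As an added example (not code from this post or from CashOnAd), here is a sketch of server-side accounting for the design problem described above: the balance lives only on the server, and each ad view is credited against a one-time token the server issued, so editing or decrypting files on the phone changes nothing. The class name, token format and cap value are assumptions; the one-cent rate and $1 threshold follow the figures in the post.

```python
import hashlib
import hmac
import secrets

CENTS_PER_AD = 1          # assumption: matches the post's 100 clicks for $1
PAYOUT_THRESHOLD = 100    # cents; the post's $1 minimum transaction
DAILY_AD_CAP = 20         # assumption: the post gives no figure for the daily cap


class AdLedger:
    """Hypothetical server-side ledger; the app never reports a balance."""

    def __init__(self, secret: bytes):
        self._secret = secret   # stays on the server, never shipped in the APK
        self._pending = {}      # nonce -> (user, day): ads served, not yet confirmed
        self._served = {}       # (user, day) -> number of ads served that day
        self._balance = {}      # user -> cents credited by the server

    def _mac(self, user: str, day: str, nonce: str) -> str:
        msg = f"{user}|{day}|{nonce}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def serve_ad(self, user: str, day: str):
        """Hand out an ad with a one-time token, or None once the cap is hit."""
        count = self._served.get((user, day), 0)
        if count >= DAILY_AD_CAP:
            return None
        self._served[(user, day)] = count + 1
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (user, day)
        return f"{nonce}.{self._mac(user, day, nonce)}"

    def confirm_view(self, user: str, day: str, token: str) -> bool:
        """Credit one view only for an unused token this server issued."""
        nonce, _, mac = token.partition(".")
        expected = self._mac(user, day, nonce)
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return False        # forged or altered token
        if self._pending.pop(nonce, None) != (user, day):
            return False        # replayed, or issued to a different user/day
        self._balance[user] = self._balance.get(user, 0) + CENTS_PER_AD
        return True

    def payout_due(self, user: str, claimed_cents: int) -> int:
        """The client's claimed figure is ignored; only the ledger counts."""
        earned = self._balance.get(user, 0)
        return earned if earned >= PAYOUT_THRESHOLD else 0
```

This does not prove that an ad was actually watched; it limits what a modified client can claim to the ads the server really served, up to the daily cap.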
